Advanced protection

Behavior

Advanced protection monitors the processes run on Windows, macOS, and Linux computers and sends all the telemetry they generate to the Cytomic cloud. This information feeds the investigation processes that classify files unambiguously as either goodware or malware, rather than leaving them classified as merely suspicious. Thanks to this technology, it is possible to detect unknown malware and advanced threats such as APTs on Windows and Linux computers.

Along with these advanced detection features, Cytomic provides a service called Zero-Trust Application Service for Windows computers, which classifies every file found on the customer IT network so that no file is left unknown.

Operating mode (Windows only)

  • Audit: Allows unknown programs and detected threats to run. Reports known malware.

  • Hardening: Allows execution of unknown programs already installed on user computers. However, it blocks unknown programs that originate from an untrusted source (such as the Internet, external storage drives, or other computers on the network) until a classification is returned. It disinfects or deletes programs classified as malware.

  • Lock: Prevents execution of all unknown programs until they are classified. Deletes or disinfects programs already classified as malware.

Operating modes of the advanced protection for Windows

  • Create Decoy Files to help detect ransomware: Creates bait files on user computers that are permanently monitored by Advanced EDR. If one of these files is modified, the process that modified it is identified as ransomware and ended, to prevent mass encryption of the file system.

  • Report blocking to computer users: To show a message in a pop-up alert on the user computer when advanced protection or anti-exploit features block a file, enable the Report blocking to computer users toggle. Optionally, you can type a custom message to include in the alert.
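As an added example (not Advanced EDR's own implementation), the following Python plants decoy files, then checks whether any has been removed or rewritten, flagging a rewritten decoy whose contents look like ciphertext by its byte entropy. It only detects the tampering; the product additionally identifies and ends the responsible process. The file names and contents are constructed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

DECOY_NAMES = ("~$budget.xlsx", "backup_notes.docx")   # constructed names
DECOY_CONTENT = b"Constructed decoy text. Not a real document.\n" * 40

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, much lower for documents."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def plant_decoys(directory):
    """Write the decoys and return {path: sha256} as the baseline to check against."""
    baseline = {}
    for name in DECOY_NAMES:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(DECOY_CONTENT)
        baseline[path] = hashlib.sha256(DECOY_CONTENT).hexdigest()
    return baseline

def check_decoys(baseline, entropy_threshold=7.0):
    """Return (name, kind) for every decoy that is missing, modified or
    rewritten with high-entropy (encrypted-looking) content."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((os.path.basename(path), "missing"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() == expected:
            continue
        kind = "encrypted" if shannon_entropy(data) >= entropy_threshold else "modified"
        findings.append((os.path.basename(path), kind))
    return findings

def demo():
    """Constructed scenario: one decoy overwritten with uniformly distributed
    bytes (a stand-in for ciphertext), another deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_decoys(tmp)
        clean = check_decoys(baseline)
        with open(os.path.join(tmp, DECOY_NAMES[0]), "wb") as fh:
            fh.write(bytes((i * 131 + 7) % 256 for i in range(4096)))
        os.remove(os.path.join(tmp, DECOY_NAMES[1]))
        return clean, check_decoys(baseline)
```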

Detect malicious activity (Linux only)

Advanced EDR sends the telemetry received from the monitored Linux workstations and servers to the Cytomic cloud. With this information, Advanced EDR generates contextual rules to stop advanced threats.

  • Audit: Reports threats detected through contextual rules, but does not block them. Threats detected using other technologies are blocked or disinfected.

  • Block: Reports and blocks threats detected through contextual rules. Unless you are sure that the detected malicious activity is a legitimate action, it is recommended that you change the setting to Block mode.

  • Do not detect: Malware found through contextual rules is not detected or reported.

Linux protection operating modes

Advanced security policies

Advanced security policies enable you to detect and block suspicious scripts and unknown programs that use advanced infection techniques on Windows computers. This type of malware is a growing threat to the security of systems.

To enable advanced security policies, click the Enable advanced policies toggle and configure each of the policies listed in Advanced security policies in Advanced EDR with one of these options:

  • Do not detect: Does not detect activity matching the policy or generate any feedback for users or administrators.

  • Audit: Detects activity matching the policy and generates feedback for the administrator in lists and dashboard widgets. See Malware and network visibility.

  • Block: Advanced EDR prevents the program from running.

Advanced security policies include:

  • PowerShell with obfuscated parameters: Detects the number of times the PowerShell interpreter received suspicious parameters that could result in the execution of dangerous operations on the protected computer. This option requires that you enable the anti-exploit protection.

  • PowerShell run by the user: Detects the number of attempts to run a monitored PowerShell script by an interactive account capable of executing dangerous operations on the protected computer. This option requires that you enable the anti-exploit protection.

  • Unknown scripts: Detects and/or blocks attempts to run a script that the Cytomic security intelligence team has not classified as safe. This policy helps:

      • Provide visibility into scripts run on the network.

      • Secure hardened servers where program execution is restricted.

      • Prevent the spread of malware on the network if infection is suspected.

    If you think the protection is generating false positives, consider the possibility of excluding the file from scans. See Files and paths excluded from scans.

  • Locally compiled programs: Detects the number of attempts to run a program that is unknown to the Cytomic security intelligence team because it was compiled on the user computer.

  • Documents with macros: Detects the number of attempts to open a Microsoft Office document with macros.

  • Registry modification to run when Windows starts: Detects the number of times a program tried to add a Windows registry key to gain persistence on the computer and to load with the operating system on every system start.

Advanced security policies in Advanced EDR

Block programs

To increase the security of Windows computers on the network, you can prevent the use of programs you consider dangerous or suspicious.

These programs include:

  • Programs which, due to the way they run, use too much bandwidth or establish too many connections, negatively impacting the company’s connectivity if run simultaneously by multiple users.

  • Programs that enable users to access contents that might contain security threats.

  • Programs that enable users to access contents not related to company activity and which might affect user performance.

To create a new settings profile or edit an existing profile, enter this information:

  • Names of the programs to block: Names of the files that you want Advanced EDR to prevent from running. You can paste a list of file names separated by line breaks.

  • MD5 codes of the programs to block: MD5 codes of the files that you want Advanced EDR to prevent from running. You can paste a list of MD5 codes separated by line breaks.

Configuring a Block Programs security policy

To notify computer users about blocked applications, enable the Notify computer users about blocked applications toggle. A pop-up message shows on user computers when they try to run a blocked application. In the text box, enter a custom message to show users when Advanced EDR blocks a program.
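As an added example (not part of Advanced EDR or this documentation), the following Python shows how a block list built from these two fields can be evaluated locally: names are matched case-insensitively, and the MD5 field catches a renamed copy of the same binary. The file names, the MD5 value and the test files are constructed.

```python
import hashlib
import os
import tempfile

# Constructed contents of the two Block Programs fields, one entry per line.
BLOCKED_NAMES = """
oldtool.exe
ShareClient.exe
"""
BLOCKED_MD5S = """
d41d8cd98f00b204e9800998ecf8427e
"""

def parse_list(text):
    """Split a line-break separated field into a normalised set of entries."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}

def md5_of_file(path, chunk_size=65536):
    """Hash in chunks so large binaries are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def is_blocked(path, names=BLOCKED_NAMES, md5s=BLOCKED_MD5S):
    """Return (blocked, reason). Names match case-insensitively, as Windows
    file names do; the MD5 match also catches a renamed copy of the binary.
    Caveat: a hash entry only matches that exact build of the file."""
    if os.path.basename(path).lower() in parse_list(names):
        return True, "name"
    if md5_of_file(path) in parse_list(md5s):
        return True, "md5"
    return False, None

def demo():
    """Constructed files: an empty file (MD5 d41d8cd9...), a name match that
    differs only in case, and an unlisted file."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "renamed.exe")
        open(empty, "wb").close()
        named = os.path.join(tmp, "OLDTOOL.EXE")
        with open(named, "wb") as fh:
            fh.write(b"not empty")
        clean = os.path.join(tmp, "fine.exe")
        with open(clean, "wb") as fh:
            fh.write(b"fine")
        return is_blocked(empty), is_blocked(named), is_blocked(clean)
```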

Anti-exploit protection

Anti-exploit technology is not available on Windows ARM systems.

Anti-exploit protection automatically blocks attempts to exploit vulnerabilities found in the active processes on user computers.

How anti-exploit protection works

Network computers might run trusted processes that include bugs. Although legitimate, these processes are vulnerable because they sometimes do not correctly interpret data received from users or other processes.

If a vulnerable process receives malicious inputs from a hacker, a malfunction can occur that enables the attacker to inject malicious code into areas of memory that the vulnerable process manages. The injected code can cause the compromised process to execute actions it was not programmed for and compromise computer security.

The anti-exploit protection included in Advanced EDR detects attempts to inject malicious code into vulnerable processes run by users, and neutralizes them based on the exploit detected:

Exploit blocking

The solution detects the injection attempt while it is still in progress. Because the injection process does not complete, the targeted process is not compromised and there is no risk to the computer. The exploit is neutralized without the need to end the affected process or restart the computer, and there are no data leaks from the affected process.

The user of the targeted computer receives a block notification, based on the settings configured by the administrator.

Exploit detection

The solution detects the injection after it takes place. Because the vulnerable process already contains malicious code, the solution must end the process before it performs actions that might put computer security at risk.

Regardless of the time between exploit detection and when the compromised process ends, Advanced EDR reports that the computer was at risk. The level of risk depends on the time passed before the process stopped and on the type of malware. Advanced EDR can either end a compromised process automatically to minimize the negative effects of an attack, or prompt the user to end the process and remove it from memory.

If you configure compromised processes to be automatically ended, users could lose information handled by the affected processes. However, by delegating the decision to the user, you enable them to save work or critical information before the compromised process stops.

If it is not possible to end a compromised process, the user is prompted to restart the computer.

Anti-exploit technology compatibility

Cytomic follows all standards recommended by OS manufacturers to make sure its security products are compatible with other antivirus and EDR solutions. Anti-exploit technology is typically implemented with hooks. If more than one solution uses anti-exploit technology, they could be incompatible. We recommend that you only enable one anti-exploit technology.

In Advanced EDR, the technologies that use hooks are the anti-exploit protection and advanced code injection detection, both configured in the following settings.

Anti-exploit protection settings

  • Anti-exploit: Enable/disable anti-exploit protection.

  • Advanced code injection: Detects advanced mechanisms to inject code in running processes. This technology uses hooks. Its configuration depends on advanced security policies. See Advanced security policies.

  • Operating mode (Windows only):

      • Audit: Reports exploit detections in the web console, but does not take action against them or display information to the user.

      • Block: Blocks exploit attacks. In some cases, it might be necessary to end the compromised process.

  • Report blocking to the computer user: The user receives a notification, and the compromised process is automatically ended if required.

  • Ask the user for permission to end a compromised process: Prompts users to end a compromised process should it be necessary. This enables users to, for example, save their work or critical information before the compromised process is stopped. Every time a compromised computer needs to restart, the user must provide confirmation, regardless of whether the Ask the user for permission to end a compromised process toggle is enabled.

Operating modes of the Advanced EDR advanced anti-exploit protection

Many exploits continue to run malicious code until the relevant process ends. An exploit does not appear as resolved in the Exploit Activity panel on the Security dashboard in the web console until the compromised program terminates.

Network attack protection

Many security incidents begin with attacks that exploit vulnerabilities in Internet-exposed services. If adversaries achieve their goals and an organization is infected, it is then necessary to halt the attack within the corporate network.

Network attack protection detects and blocks threats by scanning network traffic in real time. It prevents network attacks that attempt to exploit vulnerabilities in services that are open to the Internet and in the internal network.

For more information about network attack protection detections, see https://www.pandasecurity.com/es/support/card?id=700145.

  • Block: Blocks traffic in a network attack. This is the default option.

  • Audit: Reports network attacks in the web console, but does not take action against them or display information to the user.

Operating modes of network attack protection in Advanced EDR

Privacy

Advanced EDR collects the name and full path of the files it sends to the Cytomic cloud for analysis, as well as the name of the logged-in user. This information is used in the reports and forensic analysis tools shown in the web console. If you do not want to send this information, clear the relevant checkbox in the Privacy section.

Network usage

Advanced EDR compresses and sends every unknown executable file found on user computers to the Cytomic cloud for analysis. The maximum size of compressed files that the agent sends for analysis is 50 MB.

This behavior is configured so that it has no impact on the customer’s network bandwidth.

  • The solution only sends a maximum of 50 MB of files to the cloud each hour for each client.

  • The agent sends each unknown file once only for all customers who use Advanced EDR.

  • The solution implements bandwidth management mechanisms to prevent intensive usage of network resources.

To configure the maximum number of MB that an agent can send each hour, enter a value in the corresponding box. Click OK. To establish unlimited transfers, set the value to 0.
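As an added illustration, not Advanced EDR's own code, the Python below models the rules described in this section: an hourly allowance that the console value 0 makes unlimited, a per-file cap of 50 MB, and sending each file once (tracked here by a local hash set, a simplification of the product's cloud-wide de-duplication). The clock is injected so the hourly window can be exercised without waiting.

```python
import hashlib
import time

MAX_FILE_BYTES = 50 * 1024 * 1024   # per-file cap from the documentation
HOUR = 3600

class UploadBudget:
    """Hourly upload allowance for unknown files. limit_mb=0 means unlimited,
    matching the console setting. `now` is injectable for testing."""

    def __init__(self, limit_mb=50, now=time.time):
        self.limit = limit_mb * 1024 * 1024
        self.now = now
        self.window_start = now()
        self.sent_bytes = 0
        self.seen = set()   # digests already sent: each unknown file goes once

    def _roll_window(self):
        if self.now() - self.window_start >= HOUR:
            self.window_start = self.now()
            self.sent_bytes = 0

    def try_send(self, compressed):
        """Decide whether a compressed file may be sent now.
        Returns 'sent', 'duplicate', 'too_large' or 'quota'."""
        self._roll_window()
        if len(compressed) > MAX_FILE_BYTES:
            return "too_large"
        digest = hashlib.sha256(compressed).hexdigest()
        if digest in self.seen:
            return "duplicate"
        if self.limit and self.sent_bytes + len(compressed) > self.limit:
            return "quota"          # not marked seen, so it is retried later
        self.seen.add(digest)
        self.sent_bytes += len(compressed)
        return "sent"

def demo():
    """Constructed scenario with a 1 MB/hour limit and a fake clock."""
    clock = [0.0]
    budget = UploadBudget(limit_mb=1, now=lambda: clock[0])
    first, second = b"a" * 600 * 1024, b"b" * 600 * 1024
    results = [budget.try_send(first),            # sent
               budget.try_send(first),            # duplicate
               budget.try_send(second)]           # quota: 1.2 MB > 1 MB
    clock[0] += HOUR                              # next hour: allowance resets
    results.append(budget.try_send(second))       # sent
    unlimited = UploadBudget(limit_mb=0, now=lambda: clock[0])
    results.append(unlimited.try_send(b"c" * 2 * 1024 * 1024))  # sent
    return results
```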